Netgate Discussion Forum

    Suricata inline mode stops after interface restart

    IDS/IPS
    • timus

      If I start/restart an interface while Inline mode is enabled, it stops detecting and generating alerts. I then have to turn off Inline mode, restart the interface, then turn on Inline mode again for alerts to be detected. If I restart the interface again, the alerts stop, so I have to go through the process of disabling Inline mode again.

      I'm running pfSense on a brand new Protectli FW4 with a J3160 CPU, 8GB RAM and Intel i210-AT NICs, so I don't think hardware is the issue.

      I've tried removing Suricata (including the setting) and setting everything up from scratch but the same thing happens when I restart an interface.

      Any help would be much appreciated.

      • bmeeks

        What version of pfSense are you running?

        Inline IPS Mode uses the netmap kernel device within FreeBSD. The API for that device is different between FreeBSD-11.3 (which is the underlying OS for pfSense-2.4.5) and FreeBSD-12.1 (which is the underlying OS for pfSense-2.5). It is expected behavior for the netmap device to "down" and then "up" an interface when a netmap connection is "closed" and then "opened" by the Suricata binary. This is behavior the netmap device itself controls, and not something Suricata can stop.

        FreeBSD-12.1 has a new iflib wrapper API library for network card drivers to use. That API now handles a lot of common functions with regard to networking with the kernel that were formerly handled by code inside each NIC driver provided by the manufacturers. So that's why I asked about the pfSense version.

        I have not had another report of that kind of error. By turning off Inline Mode and restarting the interface, you are activating the PCAP mode using the libpcap library, and thus unhooking the netmap device from the NIC driver. It could be this is something unique to the particular NIC hardware you have. What driver family name is FreeBSD assigning to your NIC?

        • timus
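Two checks the reply above asks for, written here as an added example (not code from the thread, pfSense or Suricata): pull the driver family FreeBSD assigned to each NIC out of `pciconf -lv` output, and confirm the netmap device that Inline IPS Mode depends on is present in the kernel via the `dev.netmap.*` sysctl tree. Both inputs below are constructed samples (the PCI IDs and sysctl values are illustrative) so the script runs offline; on a live pfSense shell you would feed it `"$(pciconf -lv)"` and `"$(sysctl -a)"` instead.

```shell
#!/bin/sh
# Added example for this thread, not code from the forum, pfSense or Suricata.
# Answers "what driver family name is FreeBSD assigning to your NIC?" from
# `pciconf -lv` output, and checks that the netmap device used by Inline IPS
# Mode is present via the dev.netmap.* sysctl tree.
# The two inputs below are CONSTRUCTED samples so the script runs offline; on a
# live pfSense shell replace them with "$(pciconf -lv)" and "$(sysctl -a)".

SAMPLE_PCICONF=$(cat <<'EOF'
igb0@pci0:1:0:0:    class=0x020000 card=0x00008086 chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb1@pci0:2:0:0:    class=0x020000 card=0x00008086 chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
xhci0@pci0:0:21:0:  class=0x0c0330 card=0x72708086 chip=0x22b58086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = serial bus
    subclass   = USB
EOF
)

SAMPLE_SYSCTL=$(cat <<'EOF'
kern.ostype: FreeBSD
kern.osrelease: 11.3-STABLE
dev.netmap.buf_size: 2048
dev.netmap.if_num: 100
EOF
)

# Print "<interface> <driver-family>" for every network-class PCI device.
# The interface name FreeBSD assigns (igb0, em1, ...) is the driver name plus a
# unit number, so stripping the trailing digits yields the driver family.
nic_driver_families() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+@pci/ { split($1, parts, "@"); dev = parts[1] }
        /class += network/  { drv = dev; sub(/[0-9]+$/, "", drv); print dev, drv }
    '
}

# "yes" if the kernel exposes netmap (dev.netmap.* sysctls exist), else "no".
# Without it Suricata cannot attach in Inline IPS Mode at all and only the
# libpcap (Legacy) mode is possible.
netmap_present() {
    if printf '%s\n' "$1" | grep -q '^dev\.netmap\.'; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run against the constructed samples.
nic_driver_families "$SAMPLE_PCICONF"
printf 'netmap device present: %s\n' "$(netmap_present "$SAMPLE_SYSCTL")"
```

Run against the real box, `nic_driver_families "$(pciconf -lv)"` is what to paste back into a thread like this one, since the driver family (here `igb`) is what decides which kernel driver code netmap is hooking into.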

          Looking at the pfSense version, I get the following info.

          2.4.5-RELEASE-p1 (amd64)
          built on Tue Jun 02 17:51:17 EDT 2020
          FreeBSD 11.3-STABLE

          From my understanding that is the latest version, as I only recently installed it the other day after purchasing the hardware. Inline mode seems to be stable prior to restarting the interface, so I can get it working. The problem is that if an interface restarts due to an error, Suricata will stop working.

          • bmeeks

            Yes, you have the current version of pfSense RELEASE. And FreeBSD-11.3 is not using the iflib subsystem.

            I'm not sure what could be up with your setup. Thus far I've gotten no other reports like yours. Unfortunately I do not have anything to test on that has that NIC in it.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.